We propose a method for extracting an errorless secret key in a continuous-variable quantum
key distribution protocol, which is based on Gaussian modulation of coherent states and homodyne
detection. The crucial feature is an eight-dimensional reconciliation method, based on the algebraic
properties of octonions. Since the protocol does not use any postselection, it can be proven secure
against arbitrary collective attacks, by using well-established theorems on the optimality of Gaussian
attacks. By using this new coding scheme with an appropriate signal to noise ratio, the distance for
secure continuous-variable quantum key distribution can be significantly extended.



I. INTRODUCTION 

A major practical application of quantum information 
science is quantum key distribution (QKD) [3], which 
allows two distant parties to communicate with abso- 
lute privacy, even in the presence of an eavesdropper. 
Most QKD protocols encode information on discrete vari- 
ables such as the phase or the polarization of single pho- 
tons and are currently facing technological challenges, 
especially the limited performances of photodetectors in 
terms of speed and efficiency in the single photon regime. 
A way to relieve this constraint is to encode information 
on continuous variables such as the quadratures of coher- 
ent states which are easily generated and measured 
with remarkable precision by standard optical telecommunication
components. In such a protocol, Alice draws
two random values $X_A$, $P_A$ with a Gaussian distribution
$\mathcal{N}(0, V_A)$ and sends a coherent state centered on
$(X_A, P_A)$ to Bob. Bob then randomly chooses one of the
two quadratures and measures it with a homodyne de- 
tection. After the measurement, he informs Alice of his 
choice of quadrature. Alice and Bob then share corre- 
lated continuous variables from which a secret key can 
in principle be extracted, provided that the correlation 
between the shared data is high enough. This condition 
is the equivalent of the maximal error rate allowed for 
the BB84 protocol for example 0]. 

Currently, the main bottleneck of continuous-variable 
protocols lies in the classical post-processing of informa- 
tion, more precisely in the reconciliation step which is 
concerned with extracting all the available information 
from the correlated random variables shared by the le- 
gitimate parties at the end of the quantum part of the 
protocol. This classical step must not be underestimated 
since an imperfect reconciliation limits both the rate and 
the range of the protocol. 

Two different approaches have been used so far to ex- 
tract binary information from Gaussian variables. Slice 
reconciliation 0, 03] consists in quantizing continuous 
variables and then correcting errors on these discrete 



variables. It allows in principle to transmit more than 
1 bit per pulse, and to extract all the information available,
but only if the quantization takes place in $\mathbb{R}^d$ with
$d \gg 1$, which results in an unacceptable increase of complexity
in practice. Therefore the present protocols use
d = 1, resulting in finite efficiency, which limits the range 
to about 30 km. The second approach uses the sign of 
the continuous variable to encode a bit, and it has the 
advantage of simplicity. It can also be efficient, at least 
in the case where the signal to noise ratio is low enough, 
so that less than 1 bit per pulse can be expected. But 
since the Gaussian distribution is centered around 0 and
most of the data have a small absolute value, it becomes 
difficult to discriminate the sign when the noise is im- 
portant. As a consequence, it has been proposed to use 
post-selection (fj, 0, @, H, Efl, El to get rid of the "low 
amplitude" data, and keep only the more meaningful 
"large amplitude" data. However, this approach has a 
major drawback: since the optimal attack against such 
a post-selected protocol is unknown, the secret rate can 
be calculated only for certain types of "restricted" at- 
tacks 0, El]. So the security is significantly weaker than 
the initial "non post-selected" Gaussian-modulated protocol,
where one can use the optimality of Gaussian attacks
[12, 13] in order to prove that the protocol is secure
against arbitrary general collective attacks. 

Here we are interested in the problem of extending 
continuous-variable QKD over longer distances without 
post-selection, but with proven security. The main idea is 
as follows : whereas Gaussian random values are centered 
around 0, this is not the case for the norm of a Gaussian 
random vector. Such a vector lies indeed on a shell which
gets thinner as the dimension of the space increases (see
Fig. 1). Thus, if one performs a clever rotation (see Fig. 2)
before encoding the key in the sign of the coordinates,
one automatically gets rid of the small absolute value
coordinates without post-selection. Whereas this effect
gets stronger and stronger for large dimensions, we will
show that we are intrinsically limited to performing such
rotations in $\mathbb{R}^8$. As we will show below, this is related

Figure 1: (Color online) Probability distributions
$\chi(1)$, $\chi(2)$, $\chi(4)$, $\chi(8)$ of the radius of a Gaussian vector
of dimension 1, 2, 4 and 8. When the dimension goes to
infinity, the distribution gets closer to a Dirac distribution.

Figure 2: (Color online) Consider two successive states $X_1$, $X_2$
sent by Alice: the states really sent correspond to $X_1 > 0$,
$X_2 > 0$. Figures a), b) and c) show the four possible states
Bob needs to discriminate after Alice has sent him some side 
information over the classical authenticated channel, a) cor- 
responds to slice reconciliation 0, @|: the four states are well 
separated but the Gaussian symmetry is broken, b) corre- 
sponds to the case where the information is encoded on the 
sign of the Gaussian value 0|: the symmetry of the problem is 
preserved but some states are very close and thus difficult to 
discriminate, c) corresponds to the approach presented in this 
paper where the states are well separated and the symmetry 
is preserved. 



to the algebraic structure of octonions. For our purpose,
working in $\mathbb{R}^8$ is already a significant improvement since
it allows the exchange of secure secret keys over more than 50
km, without post-selection, and with a reasonable complexity
for the reconciliation protocol.

The paper is organized as follows: Section II presents
the link between the reconciliation and the security of the
protocol, Sec. III describes the reconciliation in the case
of discrete variables QKD protocols, Sec. IV shows how
to generalize this approach to Gaussian variables protocols,
and Sec. V presents a realistic reconciliation protocol
for continuous-variable QKD, whose performance is
analyzed in Sec. VI.



II. RECONCILIATION AND SECURITY 

Let $x$ and $y$ be the classical random variables associated
with the measured quantities of the legitimate parties
Alice and Bob, and let $E$ be the quantum state in
possession of the eavesdropper. It has been shown [12, 13]
that the theoretical secret key rate $K$ obtained using one-way
reconciliation is bounded from below by

$$K \geq I(x : y) - S(x : E) = K_{\mathrm{th}}.$$

Here $I(x : y)$ and $S(x : E)$ refer, respectively, to the
Shannon mutual information between classical random
values $x$ and $y$ and to the quantum mutual information
[lH between $x$ and the quantum state $E$. Recall
that S(x : E) can also be seen as the Holevo quantity 
associated to the quantum measurements performed by 
Eve. The above bound corresponds to the case where 
Alice and Bob are "classical" whereas Eve is "quantum", 
which means that Eve is allowed to use a quantum mem- 
ory and a quantum computer to perform her attack. This 
secret key rate is valid for one-way reconciliation: the 
classical communication between Alice and Bob is there- 
fore restricted to be unidirectional, and not interactive. 
For the protocol described above, the quantum mutual 
information between Bob and Eve is smaller than be- 
tween Alice and Eve. As a consequence, one will use 
reverse reconciliation 0: the final key is extracted from 
Bob's data, and Bob sends extra information to Alice on 
the authenticated classical channel to help her correct her
"errors". The secret key rate $K_{\mathrm{th}}$ is secure against collective
attacks. Note that it is conjectured that, as it is the
case for discrete variables protocols [If]], coherent attacks 
are not more powerful than collective attacks [H, 0, Gj} , 
which would imply that $K_{\mathrm{th}}$ is the secure key rate against
the most general attacks allowed by quantum mechanics. 

An important property of the continuous-variable
QKD is that for a reasonably low excess noise (which is
the noise not directly caused by the losses), $K_{\mathrm{th}}$ remains
strictly positive for any value of the transmission, meaning
that there is no theoretical limitation to the range
of this protocol. However, $K_{\mathrm{th}}$ is relevant only in the case
where one has access to a perfect reconciliation scheme,
allowing Alice and Bob to extract all the information
available in their correlated data. How should $K_{\mathrm{th}}$ be
modified in the case of a real-world imperfect reconciliation
scheme? In order to extract a secret from their data,
Alice and Bob have access to a classical authenticated
channel and have agreed on a particular code $C_N$ whose
size is such that $\log_2(N) < I(x; y)$. The principle of
the reconciliation protocol is the following: Alice chooses
randomly an element $U \in C_N$ and sends some information
$a$ to Bob who should be able to efficiently recover
$U$ from the knowledge of $y$ and $a$, i.e., $H(U|y, a) = 0$,
the conditional entropy of $U$ given $y$ and $a$ is null, or
equivalently $I(U : y, a) = H(U)$. In this case, Alice and
Bob have extracted a common string $U$ from their data,
which they will be able to turn into a secret key thanks to
privacy amplification, but they have also given the extra
information $a$ to the eavesdropper. As a consequence,
the effective key rate after the reconciliation becomes:

$$K \geq H(U) - S(U : E, a) = K_{\mathrm{real}}.$$

Unfortunately, one always has $K_{\mathrm{real}} < K_{\mathrm{th}}$ and $K_{\mathrm{real}}$
reaches 0 for a finite channel transmission. In other
words, the range of the protocol is limited because of
the imperfect reconciliation. It should be noted that this
is one of the main differences with discrete variables protocols
which are limited by technology, and more particularly
by the dark counts of the photodetectors. A real
difficulty lies in the estimation of $S(U : E, a)$. One specificity
of QKD is that it allows Alice and Bob to estimate
an upper bound of $S(x : E)$ by comparing a subset of
their data. However it is generally impossible to deduce
$S(U : E, a)$ from it. One exception is when $U$ and $a$ are
independent, in which case the following lemma applies.

Lemma 1. Let $A$ and $B$ be two classical random values,
let $E$ be a random quantum state. If $A$ and $B$ are
independent, then $S(A : E, B) \leq S(A, B : E)$.

Proof. The chain rule for mutual quantum information
reads:

$$S(A, B : E) = S(B : E) + S(A : E|B) \geq S(A : E|B)$$

where the inequality results from the non-negativity of
mutual quantum information. Then, by definition of conditional
mutual information,

$$S(A : E|B) = S(A|B) - S(A|E, B) = S(A) - S(A|E, B) = S(A : E, B)$$

where the second equality follows from independence of
$A$ and $B$. □

In the reconciliation protocol, $U$ is chosen randomly by
Alice, independently of $x$, meaning that $S(x, U : E) =
S(x : E)$. Then, since $a$ is a function of $x$ and $U$, the
data-processing inequality gives $S(U, a : E) \leq S(x : E)$.
In addition, in the case where $a$ is independent of $U$,
Lemma 1 gives: $S(U : E, a) \leq S(x : E)$.

If one defines the efficiency of reconciliation $\beta = \frac{H(U)}{I(x : y)}$,
one obtains finally

$$K_{\mathrm{real}} \geq \beta I(x : y) - S(x : E),$$

which is the usual expression of the secret key rate taking
into account the imperfect reconciliation protocol.



III. RECONCILIATION OF BINARY 
VARIABLES 

Reconciliation is a means for Alice and Bob to extract
available common information from their correlated data.
In the case when the data consists of binary strings, it
is very similar to the problem of channel coding where
the goal is for Alice to send information to Bob through
a noisy channel. Channel coding is solved by appropriately
choosing subsets of binary strings: codes. When
Alice restricts her messages to code words, Bob can recover
them with high probability if the code size is not
too large, given the channel noise. More precisely, Shannon's
theorem [18] states that the size of the code $|C|$ is
bounded by the mutual information between Alice and
Bob: $\log_2(|C|) < I(x : y)$. The problem of channel coding
has been extensively studied during the past 60 years,
but only recently were discovered codes almost achieving
Shannon's limit while being efficiently decoded thanks to
iterative algorithms: turbocodes [19] and Low Density
Parity Check (LDPC) codes [13].



The main difference between reconciliation and channel
coding is that in the case of reconciliation, Alice does
not choose what she sends and thus cannot restrict her
messages to code words of a given code. However, if one
wants to take advantage of the code formalism, knowing
what she sent, Alice can describe to Bob a code for
which her word is a code word. Thus if Bob can guess
what codeword Alice sent, they will effectively share a
common sequence of bits. This is the method used for
discrete QKD protocols. Indeed, given a linear code $C$
and its parity check matrix $H$, the group $\mathbb{F}_2^n = \{0, 1\}^n$ of
possible states sent by Alice can be seen as the product
of code words and syndromes: if Alice sends $x$ to Bob,
she can tell him the syndrome of $x$ which is $H \cdot x$ thus
defining a coset code containing $x$. This coset code is the
ensemble: $\{y \in \mathbb{F}_2^n \mid H \cdot y = x\}$. An equivalent solution is
for Alice to randomly choose a code word $U$ from a given
code and to send $U \oplus x = a$ to Bob where $\oplus$ represents
the addition in the group $\mathbb{F}_2^n$. Bob then computes $y \oplus a$
which allows him to retrieve $U$ if the code is well adapted
to the channel between Alice and Bob. This coset coding
scheme was initially suggested by Wyner [21].



In a way, the side information (information sent by Al- 
ice over the classical authenticated channel) corresponds 
to a change of coordinates allowing one to transform the 
initial reconciliation problem into the well-known prob- 
lem of channel coding. 



Two properties are essential for this approach to work:
first, the probability distribution of the states sent by
Alice is uniform over $\mathbb{F}_2^n$; second, the total space is a
partition of the cosets of a linear code. Thus, any word
can be seen as a unique codeword for a unique coset code
and telling which coset code contains the word gives zero
information about the codeword. The question is then
whether or not it is possible to generalize this approach
to continuous variables.
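
The coset scheme of this section, as an added example that is not part of the original paper: Alice publishes a = U ⊕ x, Bob computes y ⊕ a and decodes, and the side information alone leaves every codeword equally possible. The [7,4] Hamming code, the function names and the sample strings are assumptions chosen for illustration.

```python
import itertools

# Parity-check matrix of the [7,4] Hamming code (illustrative choice):
# column j (1-based) is the binary expansion of j, least significant bit in row 0.
H = [[(j >> k) & 1 for j in range(1, 8)] for k in range(3)]

def syndrome(word):
    """H . word over F_2."""
    return tuple(sum(h * w for h, w in zip(row, word)) % 2 for row in H)

def xor(u, v):
    """Addition in the group F_2^n."""
    return [p ^ q for p, q in zip(u, v)]

# The code C is the set of words with zero syndrome (16 codewords).
CODE = [list(w) for w in itertools.product((0, 1), repeat=7)
        if syndrome(w) == (0, 0, 0)]

def alice_side_info(x, U):
    """Alice picks a codeword U and publishes a = U xor x."""
    return xor(U, x)

def bob_recover(y, a):
    """Bob computes y xor a = U xor (x xor y) and corrects one bit flip."""
    noisy = xor(y, a)
    s = syndrome(noisy)
    pos = s[0] + 2 * s[1] + 4 * s[2]   # 0 means no error, else 1-based position
    if pos:
        noisy[pos - 1] ^= 1
    return noisy

def explanations(a):
    """Every (U, x) pair consistent with a published value a.

    Each codeword U pairs with exactly one x = U xor a, so when x is
    uniform on F_2^n an observer of a learns nothing about U.
    """
    return [(U, xor(U, a)) for U in CODE]

# Constructed sample data: Alice's string, and Bob's copy with one bit flipped.
X = [1, 0, 1, 1, 0, 0, 1]
Y = [1, 0, 1, 1, 1, 0, 1]
U = CODE[5]
A_PUBLIC = alice_side_info(X, U)

if __name__ == "__main__":
    print("shared codeword recovered:", bob_recover(Y, A_PUBLIC) == U)
    print("codewords compatible with a:", len(explanations(A_PUBLIC)))
```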
IV. RECONCILIATION OF GAUSSIAN
VARIABLES

A. Gaussian modulation 

One of the main differences between discrete and continuous
QKD protocols is the probability distribution
of Alice's variables: the uniform distribution on $\mathbb{F}_2^n$ is
changed into a nonuniform Gaussian distribution on $\mathbb{R}^n$.
This is rather unfortunate since the uniformity of the
distribution on $\mathbb{F}_2^n$ is an essential assumption in order to
prove that the side information (e.g., the syndrome) Alice
sends to Bob on the public channel does not give any relevant
information to Eve about the code word chosen by
Alice. An interesting property of the Gaussian distribution
$\mathcal{N}(0, \mathbb{1}_n)$ on $\mathbb{R}^n$ whose covariance matrix is the identity
is that it has a spherical symmetry in $\mathbb{R}^n$. In other
words, if the vector $x$ follows such a distribution, then the
normalized random vector $\frac{x}{\|x\|}$ has a uniform distribution
on the unit sphere $S^{n-1}$ of $\mathbb{R}^n$. Thus, spherical codes,
codes for which all codewords lie on a sphere centered
on 0, can play the same role for continuous-variable protocols
as binary codes for discrete protocols. Some very
good codes are known for binary channels: LDPC codes
and turbocodes both almost achieve the Shannon limit
and can be efficiently decoded thanks to iterative decoding
algorithms. Are there codes with similar qualities
among the spherical codes? The answer is almost. There
is indeed a canonical way to convert binary codes into
binary spherical codes and this can be achieved thanks
to the following mapping of $\mathbb{F}_2^n$ onto an isomorphic image
in the n-dimensional sphere:

$$\mathbb{F}_2^n \to S^{n-1} \subset \mathbb{R}^n, \quad (b_1, \ldots, b_n) \mapsto \left( \frac{(-1)^{b_1}}{\sqrt{n}}, \ldots, \frac{(-1)^{b_n}}{\sqrt{n}} \right).$$

Then, as LDPC codes and turbocodes can both be optimized
for binary symmetric channels, they can also be
optimized for a binary phase shift keying (BPSK) modulation,
where the bit 0 (1) is encoded into the amplitude
$+A$ ($-A$), and where the channel noise is considered to
be additive white Gaussian noise (AWGN). Thus, one has
access to a family of very good codes (in the sense that
they are very close to the Shannon limit) for which very
efficient iterative decoding algorithms are available. It is
important to note that there are actually two different
Shannon limits considered here depending on the modulation,
BPSK or Gaussian modulation, but these limits
become asymptotically close when the signal-to-noise ratio
(SNR) is small. Thus, at low SNR, a binary code
optimized for a BPSK modulation can almost achieve
the Shannon limit for a Gaussian modulation.

A remark is in order : the use of binary codes as de- 
scribed above limits the rate of the code to less than 1 
bit per channel use, whereas one of the interests of a 
Gaussian modulation is precisely to get rid of this limit. 
Actually, one could use nonbinary spherical codes, but 
their decoding is more complicated and thus slows down 



the reconciliation protocol. In addition, this is not really 
needed, since in the high loss scenario which interests us 
most here, the secret key rate is always much less than 1 
bit per channel use. Consequently the use of binary codes 
turns into an advantage, since they can be decoded very 
efficiently. In the low-loss case however, that is for short
distances, one can hope to distill more than 1 bit per
channel use, and the "usual" approach [13] will be more
suitable than the one described in the present article (see
also discussion in Sec. VI).

Now that we have a probabilistic space with a uniform
probability distribution and a family of codes for this
space, we need to see if the total space is a partition of
a code and of its "generalized coset codes". First, the
canonical hypercube of $\mathbb{R}^n$ (which is the image of $\mathbb{F}_2^n$ by
the isomorphism defined above) is described as a partition
of a linear code and its cosets. The question that
remains to be solved is whether or not the unit sphere is
a partition of such hypercubes. Another way to see this
problem is the following: given a random point in $S^{n-1}$,
is there a hypercube inscribed in the sphere for which
this point is a vertex? Surely there are such hypercubes,
many in fact. Actually, the manifold of these hypercubes
is a $[(n-1)(n-2)/2]$-dimensional manifold (this is the
dimension of the subgroup of the orthogonal group $O_n$ that
transports the canonical hypercube onto the ensemble of
hypercubes containing the point in question).

Yet another way to express the problem is the following:
given two points $x, y \in S^{n-1}$, is it possible to find
an orthogonal transformation mapping $x$ to $y$? One can
immediately think of transformations such as the reflection
across the mediator hyperplane of $x$ and $y$. Unfortunately,
such an orthogonal transformation gives some
information about $x$ and $y$ as soon as $n > 2$ (this is
linked to the phenomenon of concentration of measure
for spheres in dimensions $n > 2$), and therefore cannot
be used by Alice as legitimate side information, which
should be independent from the key in order to fulfill the
hypothesis of Lemma 1.

A correct solution would then be to randomly choose
an orthogonal transformation with uniform probability
in the ensemble of orthogonal transformations mapping
$x$ to $y$. This can be done in the following way: one first
draws a random orthogonal transformation mapping $x$ to
some random $x'$. Then one composes this transformation
with the reflection across the mediator hyperplane of $x'$
and $y$. Although theoretically correct, this procedure is
not doable in practice for $n > 1$ since generating a random
orthogonal transformation on $\mathbb{R}^n$ is a computationally
demanding task requiring one to draw an $n \times n$ Gaussian random
matrix and to calculate its QR decomposition (i.e.,
its decomposition into an orthogonal and a triangular
matrix), which is an operation of complexity $O(n^3)$.

A practical solution involves the following: for each
word $x \in S^{n-1}$ sent by Alice, for each code word
$U \in S^{n-1}$ chosen by Alice (not necessarily a binary codeword),
there should exist a continuous application $M$
of the variables $x$ and $U$ such that $M(x, U) \in O_n$ and
$M(x, U) \cdot x = U$. Then if Alice gives $M(x, U)$ to Bob,
one has the continuous equivalent of $U \oplus x$ in the discrete
protocol. The following theorem shows that the existence
of such an application $M$ restricts the possible values of
$n$ to be 1, 2, 4 or 8.

Theorem 2. If there exists a continuous application

$$M : S^{n-1} \times S^{n-1} \to O_n, \quad (x, y) \mapsto M(x, y)$$

such that $M(x, y) \cdot x = y$ for all $x, y \in S^{n-1}$, then $n =
1, 2, 4$ or $8$.

The proof of this theorem uses a result from Adams
[23], which quantifies the number of independent vector
fields on the unit sphere of $\mathbb{R}^n$:

Theorem 3. Independent vector fields on $S^{n-1}$ (J.F.
Adams, 1962). For $n = a \cdot 2^b$ with $a$ odd and $b = c + 4d$,
one defines $\rho_n = 2^c + 8d$. Then the maximal number of
linearly independent vector fields on $S^{n-1}$ is $\rho_n - 1$.

In particular, the only spheres for which there exist
$(n - 1)$ independent vector fields are the unit spheres of
$\mathbb{R}$, $\mathbb{R}^2$, $\mathbb{R}^4$ and $\mathbb{R}^8$, which can respectively be seen as
the units of the real numbers, the complex numbers, the
quaternions and the octonions.

Proof of Theorem 2. The idea of the proof is to use the
existence of such a continuous function $M$ to exhibit a
family of $(n - 1)$ independent vector fields on $S^{n-1}$.

Let $(e_1, e_2, \ldots, e_n)$ be the canonical orthonormal basis
of $\mathbb{R}^n$. For $1 \leq i \leq n$, let $u_i(x) = M(e_n, x) \cdot e_i$. One has:
$u_n(x) = x$ and

$$(u_i(x)|u_j(x)) = e_i^T M(e_n, x)^T M(e_n, x) e_j = \delta_{i,j} \quad \text{since } M(e_n, x) \in O_n.$$

Then, for $x \in S^{n-1}$, $u_1(x), u_2(x), \ldots, u_{n-1}(x)$ are $(n -
1)$ independent vector fields on $S^{n-1}$ and finally $n =
1, 2, 4$ or $8$. □

V. ROTATIONS ON $S^1$, $S^3$ AND $S^7$

Now that we have proved that such an application $M$
can only exist in $\mathbb{R}$, $\mathbb{R}^2$, $\mathbb{R}^4$ and $\mathbb{R}^8$, we need to answer
three more questions: does it exist? Can Alice compute it
efficiently? Does it leak any information about the codeword
to Eve? Note that the trivial case of $\mathbb{R}$ for which the
unit sphere is $\{-1, 1\}$ corresponds to the method where
one encodes a bit in the sign of the Gaussian variable Q. 

A. Existence 

Let us start with the easiest case: $\mathbb{R}^2$. The existence
of such an application $M$ verifying $M(x, y) \cdot x = y$ for the
unit circle is obvious: it is simply the rotation centered
in $O$ of angle $\mathrm{Arg}(y) - \mathrm{Arg}(x)$ where $\mathrm{Arg}(x)$ denotes the
angle between $x$ and the x-axis. An alternative way to
see $M$ is $M(x, y) = yx^{-1}$ where $x$ and $y$ are identified
with complex numbers of modulus 1. The same is true
for dimensions 4 and 8 where $S^3$ and $S^7$ can respectively
be identified with the quaternion units and the octonion
units, and for which a valid division exists.

B. Computation of M(x,y) 

For $n = 2, 4$ and $8$, there exists a (nonunique) family
of $n$ orthogonal matrices $\mathcal{A}_n = (A_1, \ldots, A_n)$ of $\mathbb{R}^{n \times n}$
such that $A_1 = \mathbb{1}_n$, and for $i, j > 1$, $\{A_i, A_j\} = -2\delta_{ij}\mathbb{1}_n$
where $\{A, B\}$ is the anticommutator of $A$ and $B$. An
example of these families is explicitly given in the Appendix.
The following lemma shows how to use such a
family to construct a continuous function $M$ with the
properties described above.

Lemma 4. $M(x, y) = \sum_{i=1}^{n} a_i(x, y) A_i$ with $a_i(x, y) =
(A_i x | y)$ is a continuous map from $S^{n-1} \times S^{n-1}$ to $O(n)$
such that $M(x, y)x = y$.

Proof. First, because of the anticommutation property,
one can easily check that the family $(A_1 x, A_2 x, \ldots, A_n x)$
is an orthonormal basis of $\mathbb{R}^n$ for any $x \in S^{n-1}$. Then,
for any $x, y \in S^{n-1}$, $(a_1(x, y), \ldots, a_n(x, y))$ are the coordinates
of $y$ in the basis $(A_1 x, A_2 x, \ldots, A_n x)$. This
proves that $M(x, y)x = y$. Finally, the orthogonality of
$M(x, y)$ follows from some simple linear algebra. □

Then $a = (a_1, \ldots, a_n)$ is sufficient to describe $M(x, y)$
and the computation of $a$ can be done efficiently since
the matrices $A_i$ are just permutation matrices with a
change of sign for some coordinates. In the QKD protocol,
Alice chooses randomly $u$ in a finite code and gives
the value of $a(x, u)$ to Bob, who is then able to compute
$M(x, u)y$ which is a noisy version of $u$. One should
note that the final noise is just a "rotated" version of
the noise Bob has on $x$: in particular, both noises are
Gaussian with the same variance.
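
Lemma 4 and the exchange just described, as an added example that is not code from the paper: it takes the $A_i$ to be left multiplication by the octonion basis units (built with the Cayley-Dickson product, which is one valid family and may differ from the Appendix), and replaces the LDPC decoder by a per-coordinate sign decision. Function names and the 8-sample block are constructed assumptions; two coordinates are deliberately small so that plain sign encoding fails where the rotation succeeds.

```python
import math

def conj(x):
    """Cayley-Dickson conjugate: (a, b)* = (a*, -b); a real is its own conjugate."""
    if len(x) == 1:
        return list(x)
    h = len(x) // 2
    return conj(x[:h]) + [-t for t in x[h:]]

def mul(x, y):
    """Product in R, C, H or O (length 1, 2, 4, 8): (a,b)(c,d) = (ac - d*b, da + bc*)."""
    if len(x) == 1:
        return [x[0] * y[0]]
    h = len(x) // 2
    a, b, c, d = x[:h], x[h:], y[:h], y[h:]
    first = [p - q for p, q in zip(mul(a, c), mul(conj(d), b))]
    second = [p + q for p, q in zip(mul(d, a), mul(b, conj(c)))]
    return first + second

def dot(x, y):
    return sum(p * q for p, q in zip(x, y))

def A(i, v):
    """A_i v for i = 0..n-1 (the text's A_1..A_n): left multiplication by unit e_i.

    e_0 = 1, so A(0, .) is the identity; the others anticommute pairwise.
    """
    e = [1.0 if k == i else 0.0 for k in range(len(v))]
    return mul(e, v)

def spherical_codeword(bits):
    """Map (b_1..b_n) to the hypercube vertex ((-1)^b_i / sqrt(n)) on S^(n-1)."""
    n = len(bits)
    return [(-1.0) ** b / math.sqrt(n) for b in bits]

def side_info(x_raw, bits):
    """Alice: a_i = (A_i x | u) with x = x_raw / |x_raw|; she publishes a."""
    r = math.sqrt(dot(x_raw, x_raw))
    x = [t / r for t in x_raw]
    u = spherical_codeword(bits)
    return [dot(A(i, x), u) for i in range(len(x))]

def apply_M(a, v):
    """M(x, u) v = sum_i a_i A_i v, computed from the published a only."""
    out = [0.0] * len(v)
    for i, ai in enumerate(a):
        out = [o + ai * t for o, t in zip(out, A(i, v))]
    return out

def bob_hard_decision(a, y_raw):
    """Bob rotates his noisy vector and reads one bit per coordinate sign."""
    return [0 if t > 0 else 1 for t in apply_M(a, y_raw)]

def sign_disagreements(x_raw, y_raw):
    """Errors made by encoding bits directly in the sign of each sample."""
    return sum((p > 0) != (q > 0) for p, q in zip(x_raw, y_raw))

# Constructed sample block: Alice's 8 values, channel noise, Bob's values, key bits.
X_RAW = [0.9, -1.3, 0.02, 0.7, -0.4, 1.6, -0.03, 1.1]
NOISE = [0.05, -0.04, -0.06, 0.03, 0.02, -0.05, 0.07, -0.01]
Y_RAW = [p + q for p, q in zip(X_RAW, NOISE)]
BITS = [0, 1, 1, 0, 1, 0, 0, 1]

if __name__ == "__main__":
    a = side_info(X_RAW, BITS)
    print("sign-encoding errors:", sign_disagreements(X_RAW, Y_RAW))
    print("bits after rotation :", bob_hard_decision(a, Y_RAW))
```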



C. No leakage of information 

In order to prove that $a = M(x, u)$ does not give any
information about $u$, one needs to show that $u$ and $a$ are
independent, in other words that $\Pr(u = u_i | M(x, u) =
a) = \Pr(u = u_i) = \frac{1}{N}$ if one considers the spherical code
$C_N = \{u_1, \ldots, u_N\}$. This is true because $x$ and $u$ have
uniform distributions (on $S^{n-1}$ and $C_N$ respectively) and
because the function

$$f_u : \mathbb{R}^n \to \mathbb{R}^n, \quad x \mapsto f_u(x) = a, \text{ with } a_i = (u | A_i x)$$

has a constant Jacobian equal to 1 for each $u \in C_N$. To
see this, one should note that the lines of the Jacobian
matrix of $f_u$ are the $A_i^T u$, which form an orthonormal
basis of $\mathbb{R}^n$.



VI. APPLICATION TO THE 
CONTINUOUS-VARIABLE QKD 

Now that we have explained how efficient reconciliation
of correlated Gaussian variables can be achieved
with rotations in $\mathbb{R}^8$, let us look at the implications for
the continuous-variable QKD.

At the end of the quantum part of the continuous- 
variable QKD protocol, Alice and Bob share correlated 
random values and their correlation depends on the vari- 
ance of the modulation of the coherent states and on 
the properties of the quantum channel. The channel can 
safely be assumed to be Gaussian since it corresponds to 
the case of the optimal attack for Eve. This means that it 
can be entirely characterized by its transmission and ex- 
cess noise. Both these parameters are accessible to Alice 
and Bob through an estimation step prior to the recon- 
ciliation [lfj]- Once these parameters are known, one can 
calculate the signal-to-noise ratio (SNR) of the transmis- 
sion, which is the ratio between the variance of the sig- 
nal (the variance of the Gaussian modulation of coherent 
states in our case) and the variance of the noise (noise induced
by losses as well as excess noise). The SNR quantifies
the mutual information between Alice and Bob when
a Gaussian modulation is sent over a Gaussian channel:

$$I(x : y) = \frac{1}{2} \log_2(1 + \mathrm{SNR}).$$

Note also that the efficiency of the reconciliation only de- 
pends on the correlation between Alice's and Bob's data, 
that is, on the SNR. Thus, for a given transmission and 
excess noise, the secret key rate is a function of the SNR, 
which can be optimized by changing the variance of the 
modulation of the coherent states. 

It is not easy to know exactly how the efficiency of 
reconciliation depends on the SNR. However, each rec- 
onciliation technique performs better for a certain range 
of SNR: slice reconciliation is usually used for a SNR 
around 3 [12] while rotations in $\mathbb{R}^8$ are optimal for a low
SNR, typically around 0.5. 

Figure 3 shows the performance of rotations in $\mathbb{R}^8$ compared
to slice reconciliation for the experimental parameters
of the QKD system developed at Institut d'Optique.
Both approaches achieve comparable reconciliation efficiencies
(around 90%) but for different SNR. One can
observe two distinct regimes: for low loss, i.e., short distance,
slice reconciliation is better but only rotations in
$\mathbb{R}^8$ allow QKD over longer distances (over 50 km with
the current experimental parameters).

Concerning the complexity of the reconciliation, one 
should be aware that almost all the computing time is de- 
voted to decoding the efficient binary codes, either LDPC 
codes or turbocodes. Compared to this decoding, the rotation
in $\mathbb{R}^8$ takes a negligible amount of time. Thus, the
complexity of the reconciliation presented here is smaller 
than the one of slice reconciliation since the latter uses 
several codes (one code per slice). 

Figure 3: (Color online) Performance of slice reconciliation
vs rotation in $\mathbb{R}^8$. Experimental parameters: excess noise
referred to the channel input $\xi = 0.005$, efficiency of Bob's
detector $\eta = 0.606$ and electronic noise at Bob's side $V_{\mathrm{elec}} =
0.041$ [22]. The reconciliation based on rotations in $\mathbb{R}^8$ uses a
LDPC code of rate 0.26 [H] 



VII. CONCLUSION 

We presented a protocol for the reconciliation of corre- 
lated Gaussian variables. Currently, the main bottleneck 
of continuous-variable QKD lies in the impossibility for 
Alice and Bob to extract efficiently all the information 
available, this difficulty resulting in both a limited range 
and a limited rate for the key distribution. The method 
described in this article is particularly well adapted for 
low signal-to-noise ratios, which is the situation encoun- 
tered when one wants to perform QKD over long dis- 
tances. By taking into account the current experimental 
parameters of the QKD link developed at the Institut 
d'Optique [22], one shows that this new reconciliation al- 
lows QKD over more than 50 km. Moreover, contrary 
to other protocols that have been proposed to increase 
the range of continuous-variable QKD, this protocol does 
not require any post-selection. Hence, the security proofs
based on the optimality of Gaussian attacks [12, 13] remain
valid, meaning that the protocol is secure against
general collective attacks. 

Appendix: EXAMPLES OF FAMILIES $\mathcal{A}_2$, $\mathcal{A}_4$ AND $\mathcal{A}_8$

1. Notations 

Let us introduce the following 4 2x2 matrices 
'1 0' 
> Kl = [i l)' K2 = ( i o 1 )



1 



q ^1 and the tensor product K^^.^ ~Ki 1 ®..®Ki l 